13. Secret
- 概述
Secret的功能类似于ConfigMap给pod提供额外的配置信息,但是Secret是一种包含少量敏感信息例如密码、令牌或秘钥的对象
Secret的名称必须是合法的DNS子域名
每个Secret的大小最多为1MiB,注意是为了避免用户创建非常大的Secret进而导致API服务器和kubelet内存耗尽,不过创建很多小的Secret也可能耗尽内存,可以使用资源配额来约束每个名字空间中Secret的个数
在通过YAML文件创建Secret时,可以设置data或stringData资源,data和stringData字段都是可选的,data字段中所有键值都必须base64编码的字符串,如果不希望执行这种base64字符串的转换操作,也可以选择设置stringData字段,其中可以使用任何非加密的字符串作为其取值
Pod可以用三种方式的任意一种来使用Secret:
作为挂载到一个或多个容器上的卷中的文件(crt文件、key文件)作为容器的环境变量
有kubelet在为Pod拉取镜像时使用(与镜像仓库的认证)
13.1 Secret简介类型
Kubernetes默认支持多种不同类型的Secret,用于一不同的使用场景,不同类型的Secret配置参数也不一样
| Secret类型 | 使用场景 |
|---|---|
| Opaque | 用户定义的任意数据 |
| kubernetes.io/service-account-token | ServiceAccoubt 令牌 |
| kubernetes.io/dockercfg | ~/.dockercfg 文件序列化形式 |
| kubernetes.io/dockerconfigjson | ~/.docker/config.json 文件的序列化形式 |
| kubernetes.io/basic-auth | 用于基本身份认证的凭据 |
| kubernetes.io/ssh-auth | 用于SSH身份认证的凭据 |
| kubernetes.io/tls | 用于TLS环境,保存crt证书和key证书 |
| kubernetes.io/token | 启动引导令牌数据 |
13.2 data类型加密
- 不是加密会报语法错误
root@deploy-harbor:~/20220731/k8s-Resource-N70/case11-secret# echo admin | base64
YWRtaW4K
root@deploy-harbor:~/20220731/k8s-Resource-N70/case11-secret# echo 123456 | base64
MTIzNDU2Cg==
root@deploy-harbor:~/20220731/k8s-Resource-N70/case11-secret# cat 1-secret-Opaque-data.yaml
apiVersion: v1
kind: Secret
metadata:
name: mysecret-data
namespace: myserver
type: Opaque
data:
user: YWRtaW4K
password: MTIzNDU2Cg==
age: MTgK #非base64加密的会报错
- 解密
root@deploy-harbor:~/20220731/k8s-Resource-N70/case11-secret# kubectl get secrets -n myserver mysecret-data -o yaml
apiVersion: v1
data:
age: MTgK
password: MTIzNDU2Cg==
user: YWRtaW4K
kind: Secret
metadata:
annotations:
kubectl.kubernetes.io/last-applied-configuration: |
{"apiVersion":"v1","data":{"age":"MTgK","password":"MTIzNDU2Cg==","user":"YWRtaW4K"},"kind":"Secret","metadata":{"annotations":{},"name":"mysecret-data","namespace":"myserver"},"type":"Opaque"}
creationTimestamp: "2022-11-26T02:47:26Z"
name: mysecret-data
namespace: myserver
resourceVersion: "777078"
uid: 5fef55f2-4eb0-4128-9ed6-cd97835b0643
type: Opaque
root@deploy-harbor:~/20220731/k8s-Resource-N70/case11-secret# echo YWRtaW4K | base64 -d
admin
13.3 StringData
- 自动加密
root@deploy-harbor:~/20220731/k8s-Resource-N70/case11-secret# cat 2-secret-Opaque-stringData.yaml
apiVersion: v1
kind: Secret
metadata:
name: mysecret-stringdata
namespace: myserver
type: Opaque
stringData:
user: 'admin'
password: '123456'
13.4 加密数据挂载做认证文件
root@deploy-harbor:~/20220731/k8s-Resource-N70/case11-secret# cat 3-secret-Opaque-mount.yaml
#apiVersion: extensions/v1beta1
apiVersion: apps/v1
kind: Deployment
metadata:
name: myserver-myapp-app1-deployment
namespace: myserver
spec:
replicas: 1
selector:
matchLabels:
app: myserver-myapp-app1
template:
metadata:
labels:
app: myserver-myapp-app1
spec:
containers:
- name: myserver-myapp-app1
image: tomcat:7.0.94-alpine
ports:
- containerPort: 8080
volumeMounts:
- mountPath: /data/myserver/auth
name: myserver-auth-secret
volumes:
- name: myserver-auth-secret
secret:
secretName: mysecret-data #挂载指定的secret,挂载后会将base64解密为明文
---
apiVersion: v1
kind: Service
metadata:
name: myserver-myapp-app1
namespace: myserver
spec:
ports:
- name: http
port: 8080
targetPort: 8080
nodePort: 30018
protocol: TCP
type: NodePort
selector:
app: myserver-myapp-app1
root@deploy-harbor:~/20220731/k8s-Resource-N70/case11-secret# kubectl exec -it -n myserver myserver-myapp-app1-deployment-5f5776776b-4vrld bash
bash-4.4# cd /data/myserver/auth
bash-4.4# ls
age password user
bash-4.4# cat password
123456
bash-4.4# cat user
admin
- 挂载的数据可以在etcd中找到
root@k8s-etcd1:~# etcdctl get / --keys-only --prefix | grep mysecret
/registry/secrets/myserver/mysecret-data
/registry/secrets/myserver/mysecret-stringdata
root@k8s-etcd1:~# etcdctl get /registry/secrets/myserver/mysecret-stringdata
/registry/secrets/myserver/mysecret-stringdata
k8s
v1Secretׄ
«
mysecret-stringdatmyserver"*$435fd42f-78d4-42d9-a077-8c001bdacf462ɾb
0kubectl.kubernetes.io/last-applied-configuration¸{"apiVersion":"v1","kind":"Secret","metadata":{"annotations":{},"name":"mysecret-stringdata","namespace":"myserver"},"stringData":{"password":"123456","user":"admin"},"type":"Opaque"}
z܁
kubectl-client-side-applyUpdatevɾFieldsV1:
{"f:data":{".":{},"f:password":{},"f:user":{}},"f:metadata":{"f:annotations":{".":{},"f:kubectl.kubernetes.io/last-applied-configuration":{}}},"f:type":{}}B password123456
useradminOpaque"
13.5 Kubernetes.io/tls-为nginx提供证书
root@deploy-harbor:~/20220731/k8s-Resource-N70/case11-secret# mkdir -p certs
#生成证书
openssl req -x509 -sha256 -newkey rsa:4096 -keyout ca.key -out ca.crt -days 3560 -nodes -subj '/CN=www.ca.com'
openssl req -new -newkey rsa:4096 -keyout server.key -out server.csr -nodes -subj '/CN=www.mysite.com'
openssl x509 -req -sha256 -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
#创建一个secrts 并指定证书 cert是公钥 key是私钥
kubectl create secret tls myserver-tls-key --cert=./server.crt --key=./server.key -n myserver
root@deploy-harbor:~/20220731/k8s-Resource-N70/case11-secret/certs# kubectl get secrets -n myserver myserver-tls-key
NAME TYPE DATA AGE
myserver-tls-key kubernetes.io/tls 2 19m
root@deploy-harbor:~/20220731/k8s-Resource-N70/case11-secret/certs# ll
total 28
drwxr-xr-x 2 root root 4096 Nov 26 05:17 ./
drwxr-xr-x 3 root root 4096 Jul 31 10:42 ../
-rw-r--r-- 1 root root 1809 Nov 26 05:14 ca.crt
-rw------- 1 root root 3272 Nov 26 05:14 ca.key
-rw-r--r-- 1 root root 1667 Nov 26 05:17 server.crt
-rw-r--r-- 1 root root 1590 Nov 26 05:16 server.csr
-rw------- 1 root root 3272 Nov 26 05:16 server.key
root@deploy-harbor:~/20220731/k8s-Resource-N70/case11-secret# cat 4-secret-tls.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: nginx-config
namespace: myserver
data:
default: |
server {
listen 80;
server_name www.mysite.com;
listen 443 ssl;
ssl_certificate /etc/nginx/conf.d/certs/tls.crt;
ssl_certificate_key /etc/nginx/conf.d/certs/tls.key;
location / {
root /usr/share/nginx/html;
index index.html;
if ($scheme = http ){ #未加条件判断,会导致死循环
rewrite / https://www.mysite.com permanent;
}
if (!-e $request_filename) {
rewrite ^/(.*) /index.html last;
}
}
}
---
#apiVersion: extensions/v1beta1
apiVersion: apps/v1
kind: Deployment
metadata:
name: myserver-myapp-frontend-deployment
namespace: myserver
spec:
replicas: 1
selector:
matchLabels:
app: myserver-myapp-frontend
template:
metadata:
labels:
app: myserver-myapp-frontend
spec:
containers:
- name: myserver-myapp-frontend
image: nginx:1.20.2-alpine
ports:
- containerPort: 80
volumeMounts:
- name: nginx-config
mountPath: /etc/nginx/conf.d/myserver
- name: myserver-tls-key
mountPath: /etc/nginx/conf.d/certs
volumes:
- name: nginx-config
configMap:
name: nginx-config
items:
- key: default
path: mysite.conf
- name: myserver-tls-key
secret:
secretName: myserver-tls-key
---
apiVersion: v1
kind: Service
metadata:
name: myserver-myapp-frontend
namespace: myserver
spec:
type: NodePort
ports:
- name: http
port: 80
targetPort: 80
nodePort: 30020
protocol: TCP
- name: htts
port: 443
targetPort: 443
nodePort: 30019
protocol: TCP
selector:
app: myserver-myapp-frontend
- 检测
#然后需要把证书引入到nginx配置文件中才能生效 否则你现在查看端口并没有监听443端口 然后重启 certs引入这个
#配置文件中已经把证书生成挂载过来了
/ # cd /etc/nginx/conf.d/certs
/etc/nginx/conf.d/certs # ls
tls.crt tls.key
#nginx配置文件已经挂载过来
/ # cd /etc/nginx/conf.d/myserver/
/etc/nginx/conf.d/myserver # ls
mysite.conf
#nginx.conf主配置文件中添加包含
include /etc/nginx/conf.d/myserver/*.conf;
nginx -t
nginx -s reload
netstat -tanlp
#显示证书
curl -lvk https://www.mysite.com
13.6 kubernetes.io/dockerconfig.json
#创建私有仓库认证文件
kubectl create secret generic aliyun-registry-image-pull-key \
--from-file=.dockerconfigjson=/root/.docker/config.json \
--type=kubernetes.io/dockerconfigjson \
-n myserver
root@deploy-harbor:~/20220731/k8s-Resource-N70/case11-secret# kubectl get secrets -n myserver
NAME TYPE DATA AGE
aliyun-registry-image-pull-key kubernetes.io/dockerconfigjson 1 45s
myserver-tls-key kubernetes.io/tls 2 114m
#查看创建的认证信息
root@deploy-harbor:~/20220731/k8s-Resource-N70/case11-secret# kubectl get secrets -n myserver aliyun-registry-image-pull-key -o yaml
apiVersion: v1
data:
.dockerconfigjson: ewoJImF1dGhzIjogewoJCSJoYXJib3IubmJyaGNlLmNvbSI6IHsKCQkJImF1dGgiOiAiY1hWNWFUcElZWEppYjNJeE1qTTBOUT09IgoJCX0KCX0KfQ==
kind: Secret
metadata:
creationTimestamp: "2022-11-26T07:13:15Z"
name: aliyun-registry-image-pull-key
namespace: myserver
resourceVersion: "807752"
uid: d8949f22-addc-4aef-a958-2249d967758c
type: kubernetes.io/dockerconfigjson
- YAML文件 可以拉取的
#这个关键字就是 imagePullSecrets 拉取认证信息
root@deploy-harbor:~/20220731/k8s-Resource-N70/case11-secret# cat 5-secret-imagePull.yaml
#apiVersion: extensions/v1beta1
apiVersion: apps/v1
kind: Deployment
metadata:
name: myserver-myapp-frontend-deployment
namespace: myserver
spec:
replicas: 1
selector:
matchLabels:
app: myserver-myapp-frontend
template:
metadata:
labels:
app: myserver-myapp-frontend
spec:
containers:
- name: myserver-myapp-frontend
image: registry.cn-qingdao.aliyuncs.com/zhangshijie/nginx:1.16.1-alpine-perl
ports:
- containerPort: 80
imagePullSecrets:
- name: aliyun-registry-image-pull-key
---
apiVersion: v1
kind: Service
metadata:
name: myserver-myapp-frontend
namespace: myserver
spec:
ports:
- name: http
port: 80
targetPort: 80
nodePort: 30022
protocol: TCP
type: NodePort
selector:
app: myserver-myapp-frontend